#!/usr/bin/python
import elasticsearch
import smtplib
from email.mime.text import MIMEText
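# Keyword looked for in the 4th '#'-separated AlienVault field, paired with the
# header of the report section it feeds.  Order matches the original output.
_AV_SECTIONS = (
    ('Malicious', '\n\n-AlienVault Reputation List-Malicious Hosts-\n'),
    ('Malware', '-AlienVault Reputation List-Malware Domains-\n'),
    ('C&C', '\n\n-AlienVault Reputation List-Command And Control IPs-\n'),
    ('Spamming', '\n\n-AlientVault Reputation List-Spamming-\n'),
    ('Scanning', '-\n\nAlienVault Reputation List-Scanners-\n'),
)

_DIGITS = frozenset('0123456789')


def _is_ipv4(text):
    """Return True if *text* is exactly a dotted-quad IPv4 address.

    Every feed line is untrusted input that ends up verbatim in an
    Elasticsearch ``query_string`` (the ``q=`` parameter).  Lucene syntax in
    a crafted or malformed line (wildcards, ``field:`` selectors, boolean
    operators, ranges) would alter or break the query, so anything that is
    not four ASCII decimal octets in 0-255 is refused instead of queried.
    This also covers the original ad-hoc filters: IPv6 (contains ':'),
    comment lines ('#'), the literal '0' line and blank lines all fail.
    """
    parts = text.strip().split('.')
    if len(parts) != 4:
        return False
    for part in parts:
        if not part or len(part) > 3 or not all(ch in _DIGITS for ch in part):
            return False
        if int(part) > 255:
            return False
    return True


def _load_feed(path, label):
    """Read one feed file and return its lines (with line endings).

    On any open/read error a message is printed and an empty list is
    returned, so the section is skipped.  The original fell through to the
    ``for`` loop with the list name unbound and died with a NameError.
    """
    try:
        with open(path) as handle:
            return handle.readlines()
    except (IOError, OSError) as exc:
        print(exc)
        print('Error opening %s.' % label)
        return []


def _count_hits(es, ip):
    """Return how many ``logstash-*`` documents match *ip*.

    *ip* must already have passed ``_is_ipv4``; it is still sent through the
    free-text ``q=`` parameter exactly as the original did.
    """
    return es.count(index='logstash-*', q=ip)['count']


def _match_feed(es, lines):
    """Return ``{ip: hit_count}`` for every valid IPv4 line with >0 hits."""
    hits = {}
    for line in lines:
        ip = line.strip()
        if not _is_ipv4(ip):
            continue
        count = _count_hits(es, ip)
        if count > 0:
            hits[ip] = count
    return hits


def _write_section(header, ipdict, mode='a'):
    """Write one report section: *header*, then the sorted "ip,count" lines.

    *mode* is 'w' for the first section (discards a stale report) and 'a'
    afterwards.  The header handle is closed *before* sortIPOutput appends
    its lines: the original kept a buffered handle open across that call,
    so the header typically reached the file only at close - after the
    lines it introduces, or on top of them for the 'w' handle at offset 0.
    """
    with open('/tmp/mailout.txt', mode) as report:
        report.write(header)
    sortIPOutput(ipdict)


def checkBadIPs():
    """Cross-reference three threat feeds against Elasticsearch and mail the result.

    Reads ``/tmp/blocklist_bots.txt`` (Blocklist.de), ``/tmp/feodoipblock.txt``
    (Feodo Tracker) and ``/tmp/avbots.txt`` (AlienVault reputation, '#'-separated,
    category in field 4) - presumably written beforehand by a separate fetch job -
    counts ``logstash-*`` documents matching each IPv4 address, writes the hits
    per section to ``/tmp/mailout.txt`` and hands the file to ``sendReport``.

    NOTE(review): the feed and report files live under predictable names in
    the world-writable ``/tmp``; a local user can pre-create or symlink them
    to feed fake indicators in or redirect the report.  Move them to a
    directory only this job can write (or use ``tempfile.mkstemp``) - the
    path is shared with sortIPOutput/sendReport, so change all three together.

    Returns nothing; all output is the report file, stdout progress lines and
    the e-mail.
    """
    es = elasticsearch.Elasticsearch(['http://localhost:9200'])  # put your own elasticsearch IP in here

    print('Checking Blocklist.de known bots against Netflow database...')
    blocklist_hits = _match_feed(es, _load_feed('/tmp/blocklist_bots.txt', 'Blocklist.de IP data'))
    _write_section('\n\n-Blocklist.de known bot matches-\n', blocklist_hits, mode='w')

    print('Checking Feodo Tracker Trojan known bad IP list...')
    feodo_hits = _match_feed(es, _load_feed('/tmp/feodoipblock.txt', 'Feodobot IP data'))
    _write_section('\n\n-Feodo/Cridex/Bugat Trojan Activity-\n', feodo_hits)

    print('Checking AlientVault IP Reputation Data...')
    by_category = dict((keyword, {}) for keyword, _ in _AV_SECTIONS)
    for line in _load_feed('/tmp/avbots.txt', 'AlienVault reputation data'):
        fields = line.split('#')
        if len(fields) < 4:
            continue  # blank line, comment or truncated record (original: IndexError)
        ip = fields[0].strip()
        if not _is_ipv4(ip):
            continue
        count = _count_hits(es, ip)
        if count <= 0:
            continue
        # One record can carry several categories; it goes into every matching section.
        for keyword in by_category:
            if keyword in fields[3]:
                by_category[keyword][ip] = count
    for keyword, header in _AV_SECTIONS:
        _write_section(header, by_category[keyword])

    sendReport('localhost')  # put your mail server IP in here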
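def sendReport(mailServer, sender='threattel@me.com',
               recipient='incidentresponse@me.com',
               report_path='/tmp/mailout.txt'):
    """Send the assembled report file as a plain-text e-mail.

    Parameters
    ----------
    mailServer : str
        Host (optionally ``host:port``) of the SMTP relay.
    sender, recipient : str
        Envelope and header addresses.  The defaults are the values that were
        hard-coded before; pass your own instead of editing the function.
    report_path : str
        Report produced by checkBadIPs / sortIPOutput.

    The file is read as text so ``MIMEText`` gets a ``str`` on both Python 2
    and 3, and the SMTP session is closed in ``finally`` even when
    ``sendmail`` raises (the original never called ``quit``).

    NOTE(review): the session is unauthenticated and unencrypted.  If the
    relay is not on the local host, call ``starttls()`` (and ``login()`` if
    required) before ``sendmail`` so the list of internal hits does not
    cross the network in clear text.
    """
    with open(report_path) as report:
        msg = MIMEText(report.read())
    msg['Subject'] = 'Daily Threat Intelligence Summary'
    msg['From'] = sender
    msg['To'] = recipient
    session = smtplib.SMTP(mailServer)
    try:
        session.sendmail(sender, recipient, msg.as_string())  # send the message here
    finally:
        session.quit()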
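def sortIPOutput(ipArray, report_path='/tmp/mailout.txt'):
    """Append ``ip,count`` lines to the report, highest count first, and empty *ipArray*.

    Parameters
    ----------
    ipArray : dict
        ``{ip: hit_count}``.  It is CLEARED before returning: checkBadIPs
        reuses one dict for consecutive sections and relies on that side
        effect, so it is kept deliberately.
    report_path : str
        File to append to; defaults to the path the other functions use.

    Ties keep dict iteration order, exactly like the original's repeated
    ``max(ipArray, key=ipArray.get)`` (first maximal key wins, ``sorted`` is
    stable).  The original re-opened the file and rescanned the dict three
    times per line, O(n^2) in the number of hits; one sorted pass through a
    single open handle writes the same bytes.
    """
    ordered = sorted(ipArray, key=ipArray.get, reverse=True)
    with open(report_path, 'a') as out_file:
        for ip in ordered:
            out_file.write('%s,%s\n' % (ip, ipArray[ip]))
    ipArray.clear()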
def main():
    """Script entry point: run the feed cross-check, which also mails the report."""
    checkBadIPs()
# Run only when executed directly, not when imported (e.g. by tests).
if __name__ == "__main__":
    main()